6.9

CVSS Score

Basic Information

CVE ID

CVE-2025-32025

GHSA ID

GHSA-fmhh-rw3h-785m

EPSS Score

CWE

CWE-770

Published

4/9/2025

Updated

4/9/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32025

CVE-2025-32025:
bep/imagemeta allows a potentially large memory allocation in PNG and WebP parsing

Impact

The buffer created for parsing metadata for PNG and WebP images was only bounded by their input data type, which could lead to potentially large memory allocation, and unreasonably high for image metadata. Before v0.11.0, If you didn't trust the input images, this could be abused to construct denial-of-service attacks.

Patches

v0.11.0 added a 10 MB upper limit.

(GitHub Advisory)

6.9

CVSS Score

Basic Information

CVE ID

CVE-2025-32025

GHSA ID

GHSA-fmhh-rw3h-785m

EPSS Score

CWE

CWE-770

Published

4/9/2025

Updated

4/9/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/bep/imagemeta	go	< 0.11.0	0.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that the buffer created for parsing metadata was unbounded, leading to potential large memory allocation. The provided commit ee0de9b029f4e82106729f69559f27c9a404229d directly addresses this. The changes in io.go introduce a maxBufSize constant (10MB) and modify the bufferedReader function. Specifically, the bufferedReader function, which is a method of streamReader, now checks if the requested length for the buffer exceeds maxBufSize. If it does, an error is returned, preventing the large allocation. Therefore, (*streamReader).bufferedReader was the function where the unbounded allocation could occur, making it the vulnerable function. The changes in imagemeta.go are related to error propagation from a goroutine and do not directly involve the memory allocation logic itself, though they are part of the same commit. The changes in imagemeta_test.go are for testing purposes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *u***r *r**t** *or p*rsin* m*t***t* *or PN* *n* W**P im***s w*s only *oun*** *y t**ir input **t* typ*, w*i** *oul* l*** to pot*nti*lly l*r** m*mory *llo**tion, *n* unr**son**ly *i** *or im*** m*t***t*. ***or* `v*.**.*`, I* you *i*n't

Reasoning

T** vuln*r**ility **s*ription st*t*s t**t t** *u***r *r**t** *or p*rsin* m*t***t* w*s un*oun***, l***in* to pot*nti*l l*r** m*mory *llo**tion. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is. T** ***n**s in `io.

6.9

Basic Information

Concerned about an active attack path?

CVE-2025-32025: bep/imagemeta allows a potentially large memory allocation in PNG and WebP parsing

Impact

Patches

6.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-32025:
bep/imagemeta allows a potentially large memory allocation in PNG and WebP parsing

Vulnerability Intelligence
Miggo AI